topic App-ID Override Policy Matching in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/app-id-override-policy-matching/m-p/521110#M576 <P>Is there a way to identify what traffic is hitting a specific App-ID Override policy?</P> <P>&nbsp;</P> <P>We have several poorly configured App-ID override policies I'm trying to clean up and consolidate but they override to the same custom application, and it is not obvious from the logs which app-id override policy is actually being hit.</P> <P>1) Good policy</P> <P>2) Bad policy</P> <P>3) Bad policy</P> <P>&nbsp;</P> <P>Policy 2-3 are still being hit but I'm not sure why as policy 1 should be catching everything. I've looked at the traffic logs for traffic matching the custom app-id and manually cross-referenced that with the source/destination/port for policy 1 and everything should match, but there is still incrementing hits on policies 2-3.</P> <P>&nbsp;</P> <P>From the CLI it seems you can do a "show session all filter..." on Security, NAT, PBF, and QoS policies but of course not App-ID; and that wouldn't give me any historical data anyway.</P> <P>&nbsp;</P> <P>You also can't seem to filter reports to the UUID of the app-id override policy...only security policy.</P> <P>&nbsp;</P> <P>Any ideas?</P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 14 Nov 2022 01:20:13 GMT SARowe_NZ 2022-11-14T01:20:13Z App-ID Override Policy Matching https://live.paloaltonetworks.com/t5/next-generation-firewall/app-id-override-policy-matching/m-p/521110#M576 <P>Is there a way to identify what traffic is hitting a specific App-ID Override policy?</P> <P>&nbsp;</P> <P>We have several poorly configured App-ID override policies I'm trying to clean up and consolidate but they override to the same custom application, and it is not obvious from the logs which app-id override policy is actually being hit.</P> <P>1) Good policy</P> <P>2) Bad policy</P> <P>3) Bad policy</P> <P>&nbsp;</P> <P>Policy 2-3 are still being hit but I'm not sure why as policy 1 should be catching everything. I've looked at the traffic logs for traffic matching the custom app-id and manually cross-referenced that with the source/destination/port for policy 1 and everything should match, but there is still incrementing hits on policies 2-3.</P> <P>&nbsp;</P> <P>From the CLI it seems you can do a "show session all filter..." on Security, NAT, PBF, and QoS policies but of course not App-ID; and that wouldn't give me any historical data anyway.</P> <P>&nbsp;</P> <P>You also can't seem to filter reports to the UUID of the app-id override policy...only security policy.</P> <P>&nbsp;</P> <P>Any ideas?</P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 14 Nov 2022 01:20:13 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/app-id-override-policy-matching/m-p/521110#M576 SARowe_NZ 2022-11-14T01:20:13Z